VYPR
breach · Published Jun 19, 2026 · 1 source

Spencer Gifts Health Plan Fined $450K Over HIPAA Violations Tied to 2021 Conti Ransomware Attack

The employee health plan of novelty retailer Spencer's Gifts has paid a $450,000 HIPAA penalty after a federal investigation into a 2021 Conti ransomware breach revealed systemic privacy and security rule failures.

The employer-sponsored health plan of novelty merchandise retailer Spencer's Gifts has paid a $450,000 HIPAA penalty and agreed to implement a corrective action plan to resolve findings of a federal breach investigation into a 2021 attack by now-defunct ransomware gang Conti.

The New Jersey-based health plan reported the data breach in January 2022 as affecting 10,023 people, potentially compromising health plan members' names, addresses, zip codes, phone numbers, email addresses and Social Security numbers, said the U.S. Department of Health and Human Services' Office for Civil Rights on Thursday.

The health plan reported that it first learned of the incident when employees complained that they were unable to connect to its virtual private network. "The plan discovered that in November 2021, an unauthorized actor accessed the company's network and deployed ransomware, encrypting data on the company's systems, including servers storing the plan's PHI, and demanding a ransom," HHS OCR said. Ransomware gang Conti claimed responsibility for the incident on its dark website in January 2022.

An HHS OCR investigation found the health plan prior to the breach had potentially violated provisions of the HIPAA privacy and security rules, including failing to conduct an accurate and thorough security risk analysis and failing to implement policies and procedures to comply with the HIPAA rules.

Besides paying the financial penalty, under the resolution agreement with HHS OCR, Spencer's Gifts will implement a corrective action plan that the federal agency will monitor for two years. Under that plan, the company agreed to conduct an accurate and thorough HIPAA security risk analysis; review and revise as needed its current HIPAA privacy, security and breach notification rule policies and procedures; and ensure that its workforce is trained in those policies and procedures.

The settlement marks HHS OCR's 20th enforcement action related to ransomware breaches and its 14th enforcement action spotlighting HIPAA security risk analysis deficiencies since the agency launched those two regulatory initiatives a few years ago. The size of the financial settlement with Spencer's - nearly half a million dollars - is noteworthy because of the relatively small number of people affected - about 10,000. Some regulated organizations have faced similar regulatory scrutiny in the wake of much larger HIPAA breaches but paid considerably smaller settlements to HHS OCR.

"OCR's 20th ransomware settlement underscores that the agency is very serious about the quality and strength of compliance programs - not just breach size," said Rachel Seeger, founder and principal of North Country Communications, a consultancy specializing in healthcare crisis response and compliance. "For regulated entities, the lesson is straightforward: Ransomware is a predictable threat, and a breach can open the door to deeper scrutiny."

Synthesized by Vypr AI